Section 68 IAC 26-2-2 - Internal controlsAuthority: IC 4-33-24-13
Affected: IC 4-33; IC 5-14; IC 20-18-2-4; IC 20-18-2-7
Sec. 2.
(a) The game operator must submit for approval under 68 IAC 11 internal controls for the following:(1) Procedures to handle security incidents, which may include system failures, loss of service, breaches of confidentiality, and malicious intrusion.(2) In addition to the normal contingency plans, these internal controls shall include the following: (A) Analysis and cause of the security incident.(C) Planning and implementation of corrective action to prevent recurrence.(D) Communication with those affected by or involved with recovery from the security incident.(E) Reporting of the action to the executive director or executive director's designee.(3) Action to recover from security breaches and correct system failures shall be carefully and formally controlled; the procedures shall ensure the following:(A) Only clearly identified and authorized personnel are allowed access to live systems and data.(B) Emergency actions taken are documented in detail.(C) Emergency action is reported to management and reviewed in an orderly manner.(D) The integrity of the paid fantasy sports game platform is confirmed with minimal delay.(E) Reporting of the action to the executive director or executive director's designee.(4) Testing to ensure that the paid fantasy sports game platform meets or exceeds current industry standards.(5) Notifying game participants of potential tax liabilities and providing required federal and state tax forms when a game participant has six hundred dollars ($600) or more in net winnings in a calendar year.(6) Identifying and prohibiting self-restricted game participants.(7) Confirming age and identity verification protocol to prohibit game participants that are less than eighteen (18) years of age from participating in paid fantasy sports games and to authenticate the legal name and physical address of each game participant. Details of the age and identity verification must be kept in a secure manner.(8) Instituting a process to close out dormant accounts.(9) Verifying geolocation system to establish game participant geographic location.(10) Segregating game participant account funds from a game operator's operational funds.(11) Maintaining the security of identity and financial information of game participants.(12) Preventing game operator employees, or a licensee with whom the game operator has entered into a contract, and any relative of a game operator employee living in the household of the game operator employee, from competing in a paid fantasy sports game where the cash prize exceeds five dollars ($5).(13) Preventing an owner, director, or officer of the game operator, or a licensee with whom the game operator has entered into a contract, from being a game participant in a paid fantasy sports game offered by the game operator.(14) Preventing game operator employees, or a licensee with whom the game operator has entered into a contract, from sharing confidential information that could affect paid fantasy sports game play with third parties until the information is made publicly available.(15) Preventing an individual who is a player, game official, or other participant in an actual sporting event or competition from participating in a paid fantasy sports game that is determined in whole or in part on the performance of that individual, the individual's actual team, or the accumulated statistical results of the sporting event or competition in which the individual is a player, game official, or other participant.(16) Disclosing the number of paid fantasy sports games a game participant may enter, and preventing game participants from entering into more than the maximum number of allowed paid fantasy sports games.(17) Maintaining a reserve in the form of cash, cash equivalents, an irrevocable letter of credit, a bond, or a combination of these sources that is equal to the amount of money deposited in paid fantasy sports game accounts of game participants.(18) Detecting and preventing the misuse of proxy servers.(19) Preventing the use of unauthorized scripts.(20) Withholding winnings from delinquent child support obligors in accordance with IC 4-33-24.(21) Preventing the advertisement of paid fantasy sports contests in any publication or medium that is aimed exclusively at juveniles, or advertising a paid fantasy sports contest and running promotional activities concerning a paid fantasy sports contest at any of the following:(A) Elementary schools, as defined by IC 20-18-2-4.(B) High schools, as defined by IC 20-18-2-7.(C) Sports venues used exclusively for: (i) elementary school, as defined by IC 20-18-2-4; or(ii) high school, as defined by IC 20-18-2-7; student sports activities.
(22) Any other internal control deemed necessary by the executive director or the executive director's designee.(b) The game operator shall submit internal control procedures to the commission for review and approval within one hundred eighty (180) days after submitting an application for licensure.(c) The game operator shall stamp or otherwise mark each page of the internal control procedures submitted to the commission with the word "CONFIDENTIAL" if the material submitted is not subject to disclosure under IC 4-33 or IC 5-14.Indiana Gaming Commission; 68 IAC 26-2-2; filed 1/22/2018, 3:49 p.m.: 20180221-IR-068170224FRAReadopted filed 10/1/2024, 9:32 a.m.: 20241030-IR-068230797RFA